SystemBC Malware Evolves to Evade Detection with Tor and Advanced C2 Hiding
SystemBC, a versatile malware also known as Coroxy, is increasingly used by ransomware gangs to establish hidden persistence and proxy malicious traffic, and now leverages Tor for stealthier command-and-control.

A potent cyberattack tool, SystemBC, also known by the alias Coroxy, is enabling threat actors to maintain hidden access within enterprise networks and route malicious traffic through compromised hosts, thereby evading detection. First observed around 2018-2019, this Windows malware functions as a SOCKS5 proxy, a backdoor, and a remote access tool, making it a versatile weapon sold on underground forums and adopted by numerous criminal groups.
Security researchers have linked SystemBC to some of the most destructive ransomware operations in recent years, including Ryuk, Egregor, Conti, BlackBasta, Play, and Rhysida. Its ability to blend into normal network traffic by proxying other malware's communications makes it particularly dangerous, as defenders struggle to distinguish malicious connections from legitimate activity. This stealth capability has made it a preferred choice for ransomware operators seeking to operate undetected before deploying their destructive payloads.
SystemBC is frequently deployed after initial access is gained by loaders such as Buer, QBot, or Emotet. Once established, it provides attackers with a reliable channel to push additional tools, execute scripts, and maintain persistent control over compromised systems. Its modular design and relatively small footprint contribute to its effectiveness across a wide range of environments, from small businesses to large enterprises.
At its core, SystemBC establishes an encrypted connection to a command-and-control (C2) server. While earlier versions relied on raw TCP and SOCKS5 protocols, newer iterations have shifted towards using Tor. This transition, facilitated by a client resembling the open-source mini-tor library, significantly enhances its stealth, as Tor traffic is often less scrutinized and blends more easily into normal network activity. The malware embeds known Tor directory-authority gateway addresses directly within its binary, further aiding its connection establishment.
Communication with the C2 server involves a 100-byte packet. The initial 50 bytes contain a plaintext RC4 key, while the subsequent 50 bytes carry RC4-encrypted host and user details. This encryption method complicates analysis, making it difficult for security professionals to interpret the transmitted data. Beyond its proxying capabilities, SystemBC acts as a remote execution engine, capable of running various file types and scripts, including EXE files, DLL modules, shellcode, VBS, BAT, CMD, and PowerShell scripts, all delivered from the C2 server.
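For analysts who capture such a check-in, the layout described above (50-byte plaintext RC4 key followed by 50 bytes of RC4-encrypted host and user details) can be decoded with a few lines. The following is an added example, not code from the article or from SystemBC itself; the sample packet and the host/user string inside it are constructed for illustration, and the null-padding of the details field is an assumption.

```python
# Added example: decode the 100-byte SystemBC check-in packet described in the
# article. Bytes 0-49 are the plaintext RC4 key, bytes 50-99 the RC4-encrypted
# host/user details. Sample data below is constructed, not a real capture.
PACKET_LEN = 100
KEY_LEN = 50


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_sample_packet(key: bytes, details: bytes) -> bytes:
    """Construct a test beacon (constructed data; null padding is an assumption)."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be exactly 50 bytes")
    if len(details) > PACKET_LEN - KEY_LEN:
        raise ValueError("details must fit in 50 bytes")
    padded = details.ljust(PACKET_LEN - KEY_LEN, b"\x00")
    return key + rc4(key, padded)


def decode_packet(packet: bytes) -> dict:
    """Split a captured 100-byte packet into its key and the decrypted details."""
    if len(packet) != PACKET_LEN:
        raise ValueError(f"expected {PACKET_LEN} bytes, got {len(packet)}")
    key, body = packet[:KEY_LEN], packet[KEY_LEN:]
    # The key travels in the clear, so the body decrypts without any secret.
    plain = rc4(key, body).rstrip(b"\x00")
    return {"key": key, "plaintext": plain}


if __name__ == "__main__":
    sample = build_sample_packet(bytes(range(KEY_LEN)), b"WIN-HOST01|analyst")
    print(decode_packet(sample))
```

Because the key is transmitted in plaintext, the encryption hides the beacon contents only from casual inspection; a network sensor that recognises the fixed 100-byte shape can recover the fields directly.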
SystemBC's operational flow typically involves establishing persistence after initial compromise. It often copies itself to a randomly named folder under ProgramData and creates persistence layers through scheduled tasks and registry Run key entries. This dual approach ensures that the malware survives system reboots. Security teams are advised to monitor for randomly named scheduled tasks, unexpected CurrentVersion Run registry entries, and anomalous outbound Tor or SOCKS5 traffic.
Given SystemBC's reliance on in-memory execution and randomized file naming, traditional signature-based antivirus tools can be easily bypassed. Therefore, behavior-based detection methods are strongly recommended for effective identification and mitigation. Simulating these attack techniques in a controlled environment is also a practical way for organizations to identify security gaps before they are exploited by attackers.